Spending some time in a Veeam lab now, and I believe I've discovered a fundamental misunderstanding on my part.
When I create a media pool, there is as we see an option to enable encryption and provide a password.
Any copy to tape job that writes to media in that pool will result in the copy on tape being encrypted - either by tape drive HW encryption or Veeam software encryption if the drive is incapable of HW encryption. I'm good there.
My eureka moment came when I went back and looked at every aspect of a copy to tape job. Know what I didn't
find? Any place in the tape job
to enable encryption and set a password.
So in essence, my original question was faulty. The only encryption option in the whole copy to tape process flow lies within the properties of the target media pool being used.
Now, referring back to one of the previous answers, yes, I do understand that:
- IF the source vbk was encrypted by a backup (or backup copy) job,
- AND the subsequent copy to tape job writes that encrypted vbk to a media pool with encryption enabled,
- THEN you will need both the tape media password and the backup job password to restore from tape because the data on tape is doubly encrypted.
Thank you everyone for your kind assistance. I apologize for my noob questions. Even though I have 20 years of BURA experience (DP, NBU, TSM, CV, etc.), I've so little stick time with Veeam that it's taking a bit to ferret-out features and how they integrate.